Is the following statement correct: "An API token is connected to the user who created it. If that user is deleted, or demoted from an admin role, any external platform using this token will not have access anymore".

If this is correct, is there a way for an admin to create a token which is connected to another admin user (e.g. an integrations user who will never leave the company or get another role)?

Currently, if a token is shared with a user for them to use and they are a Light Agent, they can use it to call the API. If that user realises that, instead of using their own login name, they can use the login name of an Admin, then they can use that token and the admin login name to access the API. This seems incredibly insecure...

Is this something in our setup that we need to change? Or is it Zendesk's setup in general?

You are correct that if a user is going to have access to a token attributed to a different user, it would be insecure, as tokens are inherently private methods of authentication. It would be similar to sending passwords out, and we advise against sharing tokens amongst agents for this reason.